CCPA Compliance

Draper Goren Holm, LLC

PRIVACY NOTICE FOR CALIFORNIA RESIDENTS

Effective Date: January 1, 2020

This Privacy Notice for California Residents supplements the information contained in the Privacy Policy of Draper Goren Holm, LLC (“we,” “us,” “our” or “Company”) at https://drapergorenholm.com/privacy and applies solely to all visitors, users, and others who reside in the State of California (“consumers” or “you”). We adopt this notice to comply with the California Consumer Privacy Act of 2018 (“CCPA”), and any terms defined in the CCPA have the same meaning when used in this notice.

Information We Collect

Our Website collects information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device (“personal information”). In particular, Company’s website (drapergorenholm.com) has collected the following categories of personal information from its consumers within the last twelve (12) months:

Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
Collected: YES

E. Biometric information.
Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.
Collected: NO

F. Internet or other similar network activity.
Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.

Company obtains the categories of personal information listed above from the following categories of sources:

Directly from you. For example, from forms you complete or products and services you purchase.

Indirectly from you. For example, from observing your actions on our Website.

Use of Personal Information

We may use or disclose the personal information we collect for one or more of the following business purposes:

To fulfill or meet the reason you provided the information. For example, if you share your name and contact information to request a price quote or ask a question about our products or services, we will use that personal information to respond to your inquiry. If you provide your personal information to purchase a product or service, we will use that information to process your payment and facilitate delivery. We may also save your information to facilitate new product orders or process returns.

To provide you with support and to respond to your inquiries, including to investigate and address your concerns and monitor and improve our responses.

To help maintain the safety, security, and integrity of our Website, products and services, databases and other technology assets, and business.

For testing, research, analysis, and product development, including to develop and improve our Website, products, and services.

To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.

As described to you when collecting your personal information or as otherwise set forth in the CCPA.

To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Draper Goren Holm, LLC’s assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by Draper Goren Holm, LLC about our Website users is among the assets transferred.

Company will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

Sharing Personal Information

Company may disclose your personal information to a third party for a business purpose. When we disclose personal information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract.

We share your personal information with the following categories of third parties:

Service providers.

Disclosures of Personal Information for a Business Purpose

In the preceding twelve (12) months, Company has disclosed the following categories of personal information for a business purpose:

The CCPA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.

Access to Specific Information and Data Portability Rights

You have the right to request that Company disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request (see Exercising Access, Data Portability, and Deletion Rights), we will disclose to you:

The categories of personal information we collected about you.

The categories of sources for the personal information we collected about you.

Our business or commercial purpose for collecting or selling that personal information.

The categories of third parties with whom we share that personal information.

The specific pieces of personal information we collected about you (also called a data portability request).

If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:

sales, identifying the personal information categories that each category of recipient purchased; and

disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.

Deletion Request Rights

You have the right to request that Company delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see Exercising Access, Data Portability, and Deletion Rights), we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.

We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.

Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.

Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.

Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.

Comply with a legal obligation.

Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

Exercising Access, Data Portability, and Deletion Rights

To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by either:

Submitting a ticket to customer service through your Account Management Panel (AMP).

Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.

Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.

Making a verifiable consumer request does not require you to create an account with us. However, we do consider requests made through your password protected account sufficiently verified when the request relates to personal information associated with that specific account.

We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and the extension period in writing.

If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.

Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance, specifically in .PDF, .TXT, or .DOC format.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Personal Information Sales Opt-Out and Opt-In Rights

If you are 16 years of age or older, you have the right to direct us to not sell your personal information at any time (the “right to opt-out”). We do not sell the personal information of consumers we actually know are less than 16 years of age, unless we receive affirmative authorization (the “right to opt-in”) from either the consumer who is between 13 and 16 years of age, or the parent or guardian of a consumer less than 13 years of age. Consumers who opt-in to personal information sales may opt-out of future sales at any time.

To exercise the right to opt-out, you (or your authorized representative) may submit a request to us by emailing us at privacy@drapergorenholm.com.

You do not need to create an account with us to exercise your opt-out rights. We will only use personal information provided in an opt-out request to review and comply with the request.

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

Deny you goods or services.

Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.

Provide you a different level or quality of goods or services.

Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

However, we may offer you certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels. Any CCPA-permitted financial incentive we offer will reasonably relate to your personal information’s value and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time.

Other California Privacy Rights

California’s “Shine the Light” law (Civil Code § 1798.83) permits users of our Website that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please send an email to privacy@drapergorenholm.com or write us at:

Company reserves the right to amend this privacy notice at our discretion and at any time. When we make changes to this privacy notice, we will post the updated notice on the Website and update the notice’s effective date. Your continued use of our Website following the posting of changes constitutes your acceptance of such changes.

Contact Information

If you have any questions or comments about this notice, the ways in which Company collects and uses your information described above and in the Privacy Policy https://drapergorenholm.com/privacy, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at:

NOTE: While Section 1798.110(c)(5) does list “the specific pieces of personal information the business has collected about that consumer” as a required piece of information in the online privacy disclosure, this is likely a statutory drafting error (see Practice Note, Understanding the California Consumer Privacy Act (CCPA): History of the CCPA). Businesses should probably interpret this requirement as referring to the consumer’s specific information (access) rights and not as a requirement to include individual personal information in the online privacy notice (see Practice Note, Understanding the California Consumer Privacy Act (CCPA): Specific Information Rights).

Cal. Civ. Code § 1798.115(c)

If a business sells personal information or discloses personal information for a business purpose, it must disclose the personal information categories:

Sold or include a statement that it has not sold personal information.

Disclosed for a business purpose or include a statement that it has not disclosed personal information.

If a business sells personal information to third parties, it must provide notice to consumers that:

It may sell their information.

Consumers have the right to opt-out of these sales.

Cross-references Section 1798.135(a) for notice requirements.

Cal. Civ. Code § 1798.125(b)(2) and (3)

If a business offers financial incentives for personal information collections, sales, or deletions, it must notify consumers of the financial incentives and clearly describe their material terms. Cross-references Section 1798.135 for notice requirements.

Cal. Civ. Code § 1798.130

Primary section discussing both general and specific notice requirements. Cross-references:

Section 1798.100 (statute introduction and general establishment of information rights).

Section 1798.105 (deletion right).

Section 1798.110 (disclosures for business that collects personal information).

Section 1798.115 (disclosures for business that sells personal information or discloses personal information for a business purpose).

Section 1798.125 (non-discrimination rights).

Subsections related to general or public disclosures and notices described below.

Cal. Civ. Code § 1798.130(a)(1)

Must make available two or more designated methods for submitting verified consumer requests for information disclosures required under:

Section 1798.110 (disclosures for business that collects personal information).

Section 1798.115 (disclosures for business that sells personal information or discloses personal information for a business purpose).

Contact methods must include, at minimum:

Toll-free telephone number.

Website address, if the business maintains an internet website.

Cal. Civ. Code § 1798.130(a)(5)

Must disclose the following information:

A description of the following consumer rights and one or more methods for submitting consumer requests:

Section 1798.110 (disclosures for business that collects personal information);

Section 1798.115 (disclosures for business that sells personal information or discloses personal information for a business purpose); and

Section 1798.125 (non-discrimination rights).

A list of the personal information categories the business collected in the preceding 12 months.

A list of the personal information categories the business sold in the preceding 12 months or a statement that no sales took place.

A list of the personal information categories the business disclosed for a business purpose in the preceding 12 months or a statement that no disclosures took place.

The lists must use the 11 categories enumerated in the personal information definition in Section 1798.140(o) that most closely describe the personal information.

Disclosure must occur:

In the business’s online privacy policy, if it exists.

In any California-specific description of consumer’s privacy rights, if it exists.

On its internet website, if the business does not maintain an online privacy policy or California-specific description of rights.

Must update this information at least once every 12 months.

Cal. Civ. Code § 1798.135

Disclosures and operational requirements for the consumer’s sale opt-out and opt-in rights, established in Section 1798.120. Subsections related to general or public disclosures and notices are described below. NOTE: While Section 1798.125 (non-discrimination right) cross-references this section for its notice requirement, this section does not directly address or reference Section 1798.125’s disclosure requirements.

Cal. Civ. Code § 1798.135(a)(1)

If a business sells personal information, it must provide a clear and conspicuous link on the business’s internet homepage to a webpage titled “Do Not Sell My Personal Information” that enables the consumer or an authorized representative to opt out of personal information sales, in a form reasonably accessible to consumers. Must not require consumers to create an account to exercise their opt-out rights.

Cal. Civ. Code § 1798.135(a)(2)

If a business sells personal information, it must include a description of the consumer’s opt-out/opt-in right under Section 1798.120 and a link to the “Do Not Sell My Personal Information” webpage in:

Any online privacy policies that exist.

Any California-specific description of consumer’s privacy rights that exist.

Cal. Civ. Code § 1798.135(b)

Gives businesses the option of providing the “Do Not Sell My Personal Information” notice and links required by this section on a separate and additional California-specific website homepage, instead of the general public homepage, if the business takes reasonable steps to ensure California consumers land on the California homepage instead of the general homepage.

Establishes the California Attorney General’s rulemaking authority, including for the CCPA’s different notice requirements.

COMPARISON OF KEY REQUIREMENTS UNDER THE CCPA AND THE GDPR

(Note: this is not a comprehensive list of all measures required under the CCPA or GDPR.)

Each topic below gives the CCPA position, the GDPR position, and a comparison of the two.

Who is Regulated?

CCPA: Any for-profit entity doing business in California that meets one of the following:

Has a gross revenue greater than $25 million.

Annually buys, receives, sells, or shares the personal information of more than 50,000 consumers, households, or devices for commercial purposes.

Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

The law also applies to any entity that:

Controls or is controlled by a covered business.

Shares common branding with a covered business, such as a shared name, service mark, or trademark.

Parts of the CCPA apply specifically to:

Service providers.

Third parties.

GDPR: Data controllers and data processors:

Established in the EU that process personal data in the context of the activities of the EU establishment, regardless of whether the data processing takes place within the EU.

Not established in the EU that process EU data subjects’ personal data in connection with offering goods or services in the EU, or monitoring their behavior.

Comparison: Substantially different in the parties regulated. The scope and territorial reach of the GDPR is much broader.

Who is Protected?

CCPA: Consumers, defined as California residents that are either:

In California for other than a temporary or transitory purpose.

Domiciled in California but currently outside the State for a temporary or transitory purpose.

Consumers include:

Customers of household goods and services.

Employees.

Business-to-business transactions.

GDPR: Data subjects, defined as identified or identifiable natural persons to whom personal data relates.

Comparison: Substantially different in approach, but similarly broad in effect. Both laws focus on information that relates to an identifiable natural person, although the definitions differ. Both have potential extraterritorial effects that businesses located outside the jurisdiction must consider.

What Information is Protected?

CCPA: Personal information that identifies, relates to, describes, is capable of being associated with, or may reasonably be linked, directly or indirectly, with a particular consumer or household. The statutory definition includes a list of specific categories of personal information. Personal information does not include certain publicly available government records. The CCPA also excludes from its scope certain personal information covered by other sector-specific legislation.

GDPR: Personal data is any information relating to an identified or identifiable data subject. The GDPR prohibits processing of defined special categories of personal data unless a lawful justification for processing applies.

Comparison: Substantially similar. However, the CCPA definition also includes information linked at the household or device level.

Anonymous, Deidentified, Pseudonymous, or Aggregated Data

CCPA: The CCPA does not restrict a business’s ability to collect, use, retain, sell, or disclose consumer information that is deidentified or aggregated. However, the CCPA establishes a high bar for claiming data is deidentified or aggregated. Pseudonymous data may qualify as personal information under the CCPA because it remains capable of being associated with a particular consumer or household; however, the statute does not clearly categorize or exclude pseudonymous data as personal information.

GDPR: Pseudonymous data is considered personal data. Anonymous data is not considered personal data. While the GDPR does not mention deidentified data, the CCPA definition is similar to the GDPR’s concept of anonymous data.

Comparison: The CCPA and GDPR pseudonymization definitions are very similar, and both require technical controls to prevent reidentification to qualify. The CCPA primarily discusses pseudonymization in the context of using personal information collected from a consumer for other purposes, such as research. It does not appear to help businesses generally avoid the CCPA’s requirements. At this point, it is unclear how different the position under the GDPR is.

CCPA: Third parties must also give consumers explicit notice and an opportunity to opt out before re-selling personal information that the third party acquired from another business.

GDPR: Data controllers must provide detailed information about their personal data collection and data processing activities. The notice must include specific information depending on whether the data is collected directly from the data subject or from a third party.

Comparison: Similar disclosure requirements, but differences in the specific information required and the delivery methods. The CCPA notice requirements on personal information disclosed or sold to third parties only cover the 12 months preceding the request.

Security

CCPA: The CCPA does not directly impose data security requirements. However, it does establish a private right of action for certain data breaches that result from a business’s violation of its duty, arising under existing California law, to implement and maintain reasonable security practices and procedures appropriate to the risk.

GDPR: The GDPR requires data controllers and data processors to take appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

Comparison: Substantially similar in statutory approach, though what counts as reasonable security measures may vary to some extent with an organization’s circumstances and regulator interpretation.

Opt-Out Right for Personal Information Sales

CCPA: Businesses must enable and comply with a consumer’s request to opt out of the sale of personal information to third parties, subject to certain defenses. Must include a “Do Not Sell My Personal Information” link in a clear and conspicuous location on the website homepage. Must not request reauthorization to sell a consumer’s personal information for at least 12 months after the person opts out.

GDPR: The GDPR does not include a specific right to opt out of personal data sales. However, the GDPR does contain other rights a data subject may use to obtain a similar result in certain circumstances. For example, it permits data subjects, at any time, to:

Opt out of processing of their data for direct marketing purposes.

Withdraw consent for processing activities.

This allows data subjects to opt out of third-party sales that support marketing purposes or that rely on consent as their legal basis for processing.

Comparison: Substantially different.

Children

CCPA: The CCPA prohibits selling the personal information of a consumer under 16 without consent. Children aged 13 to 16 can directly provide consent; children under 13 require parental consent. Importantly, the protections of the federal Children’s Online Privacy Protection Act (COPPA) still apply on top of the CCPA’s requirements.

GDPR: The GDPR’s default age for consent is 16, although individual Member State law may lower it to no lower than 13. The person with parental responsibility must provide consent for children under the consent age. Children must receive an age-appropriate privacy notice. Children’s personal data is subject to heightened protection requirements.

CCPA: Consumers have a right to request disclosure of their personal information and to receive additional details about the personal information a business collects and the purposes for which it is used, including any third parties with which it shares the information.

GDPR: Data subjects have a right to access their personal data, including receiving a copy, and to obtain certain information about the data controller’s processing.

Comparison: Broadly similar rights of disclosure/access. The CCPA’s right is only to obtain a written disclosure of the information. The GDPR allows broader access, which is not limited to a written disclosure in a portable format.

Right of Data Portability

CCPA: In response to a request for disclosure, a business must provide personal information in a readily useable format that enables the consumer to transmit the information from one entity to another without hindrance.

GDPR: The GDPR includes a new right to data portability, allowing the data subject to:

Receive a copy of their personal data in a structured, commonly used and machine-readable format.

Transmit the personal data to another data controller (including directly from one data controller to another, where technically feasible).

Comparison: Broadly similar rights. The GDPR provides a specific right to request that a data controller transfer the data subject’s personal data to another data controller.

Right to Deletion / Erasure (The Right to be Forgotten)

CCPA: A consumer has the right to deletion of personal information a business has collected, subject to certain exceptions. The business must also instruct its service providers to delete the data.

GDPR: Data subjects have the right to request erasure of personal data under six circumstances (the right to be forgotten). Data controllers must also take reasonable steps to inform any other data controllers also processing the data.

Comparison: Similar data deletion rights. The GDPR right only applies if the request meets one of six specific conditions, while the CCPA right is broad. However, the CCPA also allows a business to refuse the request on much broader grounds than the GDPR. The GDPR’s obligation to inform downstream data recipients of the person’s deletion request is also broader.

Right of Rectification

CCPA: None.

GDPR: The GDPR grants data subjects the right to:

Correct inaccurate personal data.

Complete incomplete personal data.

Comparison: Substantially different.

Right to Restrict Processing

CCPA: None, other than the right to opt out of personal information sales.

GDPR: Right to restrict processing of personal data, under certain circumstances.

Comparison: Substantially different.

Right to Object to Processing

CCPA: None, other than the right to opt out of personal information sales.

GDPR: Right to object to processing for profiling, direct marketing, and statistical, scientific, or historical research purposes.

Comparison: Substantially different.

Right to Object to Automated Decision-Making

CCPA: None.

GDPR: Data subjects have the right not to be subject to automated decision-making, including profiling, which has legal or other significant effects on the data subject, subject to certain exceptions.

Comparison: Substantially different.

Non-Discrimination

CCPA: A business must not discriminate against a consumer because they exercised their rights. However, a business may charge a different price or rate if that difference reasonably relates to the value provided by the consumer’s data. Businesses may also offer financial incentives if they are disclosed in their terms or online privacy policy and require opt-in consent.

GDPR: It is implicit in the GDPR that organizations cannot discriminate against a data subject for exercising their rights, for example through provisions prohibiting processing that adversely affects the rights and freedoms of data subjects.

CCPA: A business must:

Respond within 45 days after receipt, potentially extendable once for another 45 or 90 days on notification to the consumer.

Inform the consumer of the reasons for not taking action.

Provide the information free of charge, unless the request is manifestly unfounded, excessive, or repetitive.

Consumers may only make most information requests twice a year and only for a 12-month look-back. There are no limits on deletion and do-not-sell requests.

GDPR: A data controller must:

Verify the identity of a data subject before responding to a request.

Respond to requests without undue delay and at the latest within one month, extendable by up to two further months where necessary, after notifying the data subject.

Give reasons if the data controller does not comply with a request.

Provide the information free of charge, unless the request is manifestly unfounded or excessive, in which case a reasonable fee may be charged.

Comparison: Substantially similar.

Penalties (Private Rights of Action)

CCPA: The CCPA establishes a narrow private right of action for certain data breaches involving a subset of personal information. However, the CCPA grants companies a 30-day period to cure violations, if possible. Consumers may seek the greater of actual damages or statutory damages ranging from $100 to $750 per consumer per incident. Courts may also impose injunctive or declaratory relief.

GDPR: The GDPR establishes a private right of action for material or non-material damage caused by a data controller’s or data processor’s breach of the GDPR.

Comparison: Substantially different in scope, but violations of either may result in significant economic liability.

Penalties (Civil Fines)

CCPA: The California AG may bring actions for civil penalties of $2,500 per violation, or up to $7,500 per intentional violation. However, the CCPA also grants businesses a 30-day cure period for noticed violations.

GDPR: Administrative fines can reach EUR 20 million or 4% of annual global turnover, whichever is higher. EU Member States can impose their own penalties for infringements of the GDPR that are not subject to administrative fines under Article 83 GDPR.

Comparison: The approach to calculating fines differs, but violations of either may result in significant economic liability.


LA Blockchain Week

LA Blockchain Week is a series of world-class blockchain events designed to showcase Los Angeles as the leading Blockchain innovation and investment hub in the United States.
